Effort infiltrates geopolitical sites mainly in Russia


SAN FRANCISCO — A Russian cybersecurity company issued a report on Monday saying that it had identified a sophisticated espionage campaign that has been in operation since 2007. The spy campaign targeted a range of government and diplomatic organizations, mostly in Eastern Europe and Central Asia, but also in Western Europe and North America.

Kaspersky Lab, the firm behind the discovery, said that digital clues suggested that the perpetrators were Russian-speaking but that the campaign did not appear to be the work of a nation-state.

However, as with a number of other alarming recent reports on computer spying, Kaspersky’s report offered few details that would allow for independent verification and did not specifically name the organizations affected.

In an interview, Kurt Baumgartner, a senior security researcher at Kaspersky Lab, said that among the several hundred victim organizations were ‘‘embassies, consulates, and trade centers.’’ Other targets included business organizations, energy companies, and the aerospace industry.

The vast majority of infected machines were based in Russia — where Kaspersky identified 38 — followed by Kazakhstan, where 16 infected machines were identified. Six infected machines were found in the United States.

Asked why Kaspersky decided not to identify the targets of the attack by name, Baumgartner said the firm’s investigation was continuing.

Baumgartner described the campaign as a ‘‘sophisticated and very patient multiyear effort’’ to extract geopolitical and confidential intelligence from computers, network devices such as routers and switches, and smartphones.

The malware was designed to extract files, e-mails and passwords from PCs, record keystrokes and take screenshots, and steal a user’s Web browsing history on Chrome, Firefox, Internet Explorer, and Opera browsers.

It could also pilfer contacts, call histories, calendars, text messages, and browsing histories from smartphones, including iPhones, Windows, Nokia, Sony, and HTC phones. And it collected information about installed software, including Oracle’s database software, remote administration software and instant messaging software, such as that made by Mail.Ru, a Russian e-mail and instant messaging service.

But Kaspersky said what set the campaign apart was that the attackers engineered their malware to steal files that had been encrypted with a piece of classified software, called Acid Cryptofiler, that several countries in the European Union and NATO use to encrypt classified information.

Researchers discovered several Russian words embedded in the malware’s code, suggesting the attackers are of Russian-speaking origin. For instance, the word ‘‘Zakladka’’ appears in the malware, which, in Russian and Polish, can mean ‘‘bookmark.’’ It is also a Russian slang term meaning ‘‘undeclared functionality’’ in computer software or hardware.

But as sophisticated as the malware was, Kaspersky said the methods attackers used to infect systems were not.